
@pitbulk
Created March 15, 2017 17:23
<?php
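// Requests a SAML assertion from the OneLogin API for one user and one app.
// On success exactly one of these outcomes is populated:
//   - $saml_response                               (assertion issued directly)
//   - $state_token, $devices, $callback_url, $user (an MFA step is required)
//   - $message                                     (request still pending)
// Any API-reported or transport error is raised as an Exception.

// URL & credentials
// NOTE: every "<...>" value is a template placeholder. Real access tokens and
// user passwords should be injected at runtime (environment, secret store)
// and never committed alongside the script.
$url = "https://api.<us or eu>.onelogin.com/api/1/saml_assertion";
$access_token = "<access_token>";
// Parameters
$username_or_email = "<username_or_email>";
$password = "<password>";
$app_id = "<app_id>";
$subdomain = "<subdomain>";
// $ip_address = "<ip_address>"; // Optional
$authorization = "bearer:$access_token";

$user_data = array(
    "username_or_email" => $username_or_email,
    "password" => $password,
    "app_id" => $app_id,
    "subdomain" => $subdomain
);
// empty() is already false for an unset variable, so no separate isset().
if (!empty($ip_address)) {
    $user_data['ip_address'] = $ip_address;
}

$data_string = json_encode($user_data);
if ($data_string === false) {
    // Do not include $user_data in the message: it holds the password.
    throw new Exception("Unable to encode request body: " . json_last_error_msg());
}

$ch = curl_init($url);
if ($ch === false) {
    throw new Exception("Unable to initialise cURL handle");
}

try {
    curl_setopt_array($ch, array(
        CURLOPT_CUSTOMREQUEST => "POST",
        CURLOPT_POSTFIELDS => $data_string,
        // Headers are returned in front of the body and stripped below.
        CURLOPT_HEADER => true,
        CURLOPT_RETURNTRANSFER => true,
        // The request carries a bearer token and a user password, so pin
        // certificate and hostname verification instead of relying on defaults.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Bound the call so a stalled endpoint cannot hang the caller.
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_HTTPHEADER => array(
            'Content-Type:application/json',
            'Authorization:' . $authorization,
            'Content-Length: ' . strlen($data_string)
        ),
    ));

    $result = curl_exec($ch);
    if ($result === false) {
        throw new Exception(curl_error($ch), curl_errno($ch));
    }

    $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $body = substr($result, $header_size);
    $result_data = json_decode($body);

    // A proxy error page or a truncated reply is not JSON; fail explicitly
    // rather than dereferencing null.
    if (!is_object($result_data) || !isset($result_data->status)) {
        throw new Exception("Unexpected response from the SAML assertion endpoint");
    }

    if (!empty($result_data->status->error)) {
        $errorMsg = $result_data->status->code . ", " . $result_data->status->type;
        $errorMsg .= " || " . $result_data->status->message;
        throw new Exception($errorMsg);
    }

    if (property_exists($result_data, 'data')) {
        if (is_array($result_data->data)) {
            if (!isset($result_data->data[0])) {
                throw new Exception("SAML assertion response contained an empty data array");
            }
            // MFA required. $state_token is a short-lived secret that ties
            // the follow-up verify_factor call to this login attempt; keep
            // it out of logs.
            $mfa = $result_data->data[0];
            $state_token = $mfa->state_token;
            $devices = $mfa->devices;
            $callback_url = $mfa->callback_url;
            $user = $mfa->user;
        } else {
            // The assertion authenticates the user to the target app:
            // treat it as a credential and do not log or persist it.
            $saml_response = $result_data->data;
        }
    } else {
        // Pending
        $message = $result_data->status->message;
    }
} finally {
    // Release the handle on the exception paths too.
    curl_close($ch);
}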
<?php
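// Completes the MFA step of a OneLogin SAML assertion request by verifying a
// factor. On success $saml_response holds the assertion; if the API reports
// no error and no data, authentication is still pending and it stays unset.
// Any API-reported or transport error is raised as an Exception.

// URL & credentials
// NOTE: every "<...>" value is a template placeholder. Real access tokens
// should be injected at runtime (environment, secret store) and never
// committed alongside the script.
$url = "https://api.<us or eu>.onelogin.com/api/1/saml_assertion/verify_factor";
$access_token = "<access_token>";
// Parameters
$app_id = "<app_id>";
// NOTE(review): presumably taken from the devices list returned by the
// initial saml_assertion call; confirm against the API documentation.
$device_id = "<device_id>";
// Value returned by the initial saml_assertion call; keep it out of logs.
$state_token = '<state_token>';
$otp_token = '<otp_token>'; // Optional
$authorization = "bearer:$access_token";

$data = array(
    "app_id" => $app_id,
    "device_id" => $device_id,
    "state_token" => $state_token
);
if (!empty($otp_token)) {
    $data['otp_token'] = $otp_token;
}

$data_string = json_encode($data);
if ($data_string === false) {
    // Do not include $data in the message: it holds the state and OTP tokens.
    throw new Exception("Unable to encode request body: " . json_last_error_msg());
}

$ch = curl_init($url);
if ($ch === false) {
    throw new Exception("Unable to initialise cURL handle");
}

try {
    curl_setopt_array($ch, array(
        CURLOPT_CUSTOMREQUEST => "POST",
        CURLOPT_POSTFIELDS => $data_string,
        // Headers are returned in front of the body and stripped below.
        CURLOPT_HEADER => true,
        CURLOPT_RETURNTRANSFER => true,
        // The request carries a bearer token, a state token and possibly an
        // OTP, so pin certificate and hostname verification explicitly.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Bound the call so a stalled endpoint cannot hang the caller.
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_HTTPHEADER => array(
            'Content-Type:application/json',
            'Authorization:' . $authorization,
            'Content-Length: ' . strlen($data_string)
        ),
    ));

    $result = curl_exec($ch);
    if ($result === false) {
        throw new Exception(curl_error($ch), curl_errno($ch));
    }

    $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $body = substr($result, $header_size);
    $result_data = json_decode($body);

    // A proxy error page or a truncated reply is not JSON; fail explicitly
    // rather than dereferencing null.
    if (!is_object($result_data) || !isset($result_data->status)) {
        throw new Exception("Unexpected response from the verify_factor endpoint");
    }

    if (!empty($result_data->status->error)) {
        $errorMsg = $result_data->status->code . ", " . $result_data->status->type;
        $errorMsg .= " || " . $result_data->status->message;
        throw new Exception($errorMsg);
    }

    if (isset($result_data->data)) {
        // The assertion authenticates the user to the target app: treat it
        // as a credential and do not log or persist it.
        $saml_response = $result_data->data;
    } else {
        //Authentication pending
    }
} finally {
    // Release the handle on the exception paths too.
    curl_close($ch);
}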